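# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# GitLab CI pipeline rendered from a Terraform template: the `${...}` and
# `%{~ ... ~}` sequences are Terraform template syntax, not YAML, and are
# substituted before GitLab parses the result.
#
# Flow: gcp-setup exchanges the GitLab OIDC ID token for short-lived Google
# Cloud credentials via workload identity federation and fetches the provider
# file; tf-plan-apply then runs `terraform plan` on merge requests and
# `terraform apply` on pushes to the default branch.

variables:
  # Credential configuration file written by gcp-setup; the google provider
  # picks it up through this environment variable in tf-plan-apply.
  GOOGLE_CREDENTIALS: cicd-sa-credentials.json
  FAST_OUTPUTS_BUCKET: ${outputs_bucket}
  FAST_WIF_PROVIDER: ${identity_provider}
  # Overridden with a different socket name in tf-plan-apply, the only job
  # that starts an agent.
  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
%{~ if tf_var_files != [] ~}
  # Rendered as a multi-line plain scalar: continuation lines must be indented
  # deeper than the key or YAML will not fold them into one value. No script
  # on this page consumes TF_VAR_FILES — confirm the download step that uses
  # it lives elsewhere.
  TF_VAR_FILES: ${join("\n    ", tf_var_files)}
%{~ endif ~}

workflow:
  # Only these two sources create a pipeline, so COMMAND and
  # FAST_SERVICE_ACCOUNT are always set in the jobs below; any other event
  # (tags, schedules, API) is dropped by GitLab because no rule matches.
  rules:
    # merge / apply: push to the default branch uses the apply service account
    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
      variables:
        COMMAND: apply
        FAST_SERVICE_ACCOUNT: ${service_accounts.apply}
        TF_PROVIDERS_FILE: 0-bootstrap-providers.tf
    # pr / plan: merge requests use the (read-only) plan service account
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      variables:
        COMMAND: plan
        FAST_SERVICE_ACCOUNT: ${service_accounts.plan}
        TF_PROVIDERS_FILE: 0-bootstrap-r-providers.tf

stages:
  - gcp-setup
  - tf-plan-apply

# TODO: document project-level deploy key used to fetch modules

gcp-setup:
  stage: gcp-setup
  image:
    name: google/cloud-sdk:slim
  # Only the credential *configuration* (no secret material; it references
  # token.txt by path) and the provider file are handed to the next job.
  # token.txt itself is deliberately not an artifact.
  artifacts:
    paths:
      - cicd-sa-credentials.json
      - providers.tf
  # Request a GitLab OIDC ID token with the audiences accepted by the
  # workload identity provider.
  id_tokens:
    GITLAB_TOKEN:
      aud:
%{~ for aud in audiences ~}
        - ${aud}
%{~ endfor ~}
  before_script:
    - echo "$GITLAB_TOKEN" > token.txt
  script:
    # Build an external-account credential config that reads the ID token
    # from token.txt and impersonates the job's service account; the
    # resulting access tokens live 15 minutes.
    - |
      gcloud iam workload-identity-pools create-cred-config \
        $FAST_WIF_PROVIDER \
        --service-account=$FAST_SERVICE_ACCOUNT \
        --service-account-token-lifetime-seconds=900 \
        --output-file=$GOOGLE_CREDENTIALS \
        --credential-source-file=token.txt
    - gcloud config set auth/credential_file_override $GOOGLE_CREDENTIALS
    # NOTE(review): `alpha` command surface; the GA `gcloud storage cp` offers
    # the same copy — confirm before switching.
    - gcloud alpha storage cp -r "gs://$FAST_OUTPUTS_BUCKET/providers/$TF_PROVIDERS_FILE" ./providers.tf

tf-plan-apply:
  stage: tf-plan-apply
  dependencies:
    - gcp-setup
  # A fresh ID token for this job; the credential config from gcp-setup
  # expects it at token.txt (written below).
  id_tokens:
    GITLAB_TOKEN:
      aud:
%{~ for aud in audiences ~}
        - ${aud}
%{~ endfor ~}
  image:
    name: hashicorp/terraform
    # Override the image entrypoint so the runner's shell executes `script`.
    entrypoint:
      - "/usr/bin/env"
  variables:
    # Overrides the global SSH_AUTH_SOCK (note the different file name).
    SSH_AUTH_SOCK: /tmp/ssh-agent.sock
  script:
    # CICD_MODULES_KEY is the private half of the deploy key used to fetch
    # modules; keep it a masked, protected CI/CD variable. Host keys are
    # fetched at run time (trust on first use); seeding known_hosts from a
    # pinned copy of GitLab's published host keys would be stronger.
    - |
      ssh-agent -a $SSH_AUTH_SOCK
      echo "$CICD_MODULES_KEY" | ssh-add -
      mkdir -p ~/.ssh
      ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
      ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
    - echo "$GITLAB_TOKEN" > token.txt
    - terraform init
    - terraform validate
    # COMMAND is quoted so an unset value compares as a plain string instead
    # of breaking the test; `=` is the POSIX form of the comparison.
    - 'if [ "$COMMAND" = "plan" ]; then terraform plan -input=false -no-color -lock=false; fi'
    - 'if [ "$COMMAND" = "apply" ]; then terraform apply -input=false -no-color -auto-approve; fi'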